
teissTalk: A playbook for new CISOs - learnings from years in the trenches

On 11 July 2024, teissTalk host Thom Langford was joined by Paul Watts, Distinguished Analyst, Information Security Forum (ISF); and Dr Andrea Cullen, Co-Founder/Co-CEO, CAPSLOCK.


Views on news


The first 100 days as a new CISO are a whirlwind of assessing risks, building relationships and establishing priorities. By staying focused on the fundamentals, such as identity and user access, data and systems, and crafting a cohesive security story, new CISOs set themselves up for long-term success. Before tackling everything the article describes, however, you must first learn the business: request a tour around the company and ask the fundamental questions. Beyond what the article mentions, incident response is also key; a new CISO who gets that right is more likely to be able to handle whatever is thrown at them. It is also important that everyone in the company is ready to pull their weight in information security.

 

What skillset do CISOs need?


The role of the CISO has evolved. It used to be very technical, but as technology has become a major business enabler, CISOs have been propelled onto centre stage. The balance of technical skills versus soft skills has changed accordingly. The way forward is not to see technical and soft skills as a dichotomy but as complementary skillsets.

 

What makes information security professionals effective is combining the tradecraft of security with putting business outcomes first. That is where the role of the BISO comes in: a senior cybersecurity leadership position intended to bridge the gap between security and business interests. We also have to look at the role of the CISO through the lens of the target operating model, where business units are given autonomy so they can respond quickly. This way security functions can be integrated into the business itself, keeping the security function close to the people it serves. Information security professionals are often good at being pessimistic. However, risk treated in the right way can be an opportunity too.


Security should never be based on fear. A good security officer today must also be a marketeer, a storyteller and a business analyst. Few CISOs get a meaningful answer to the question "what is your risk appetite?" Risk appetite keeps changing with the time of year and the circumstances, as organisations are often more dynamic than standards allow them to be. Impact can be seen as both real-time and strategic, as the C-suite wants to know what is coming over the hill and how it could affect the organisation. To deliver on this, CISOs need the bandwidth that allows them to think strategically.

 

The CISO role comes with a lot of stress and burnout, and security leaders find it extremely hard to unplug. They can have difficulty telling what they should let go of or delegate. They must think more about their well-being and acknowledge that they too have limits. Diversity can help here by demonstrating that there are colleagues who CAN switch off and focus on family or other matters after work. People who arrive at 9 and leave at the end of the day shouldn't be seen as underperformers but, rather, be presented as models that others should follow to prevent burnout.


The panel’s advice

  • As a new CISO, think of what value infosecurity can bring to the table.
  • The first hundred days aren’t about security but culture, business, relationships and finding out what the role involves in the long term.
  • Cyber security has become a blend of art and science.
  • Children must be taught about the dangers of the digital world just like they are told about those in the physical world.
  • You can’t do security in isolation anymore.
  • Create an inclusive environment built on trust and recognition.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543